diff options
-rw-r--r-- | src/policy-default.c | 44 | ||||
-rw-r--r-- | src/policy-deny.c | 56 |
2 files changed, 49 insertions, 51 deletions
diff --git a/src/policy-default.c b/src/policy-default.c index a09bb1a..8d70684 100644 --- a/src/policy-default.c +++ b/src/policy-default.c @@ -84,52 +84,14 @@ ivi_policy_default_surface_advertise_state_change(struct ivi_surface *surf, void return true; } -#ifdef HAVE_SMACK -static bool -ivi_policy_default_shell_bind_interface(void *client, void *interface) -{ - struct wl_interface *shell_interface = interface; - struct wl_client *conn_client = client; - - pid_t pid, uid, gid; - int client_fd; - char *label; - bool ret = false; - - wl_client_get_credentials(conn_client, &pid, &uid, &gid); - - client_fd = wl_client_get_fd(conn_client); - if (smack_new_label_from_socket(client_fd, &label) < 0) { - return ret; - } - - if (strcmp(shell_interface->name, "agl_shell") == 0) - if (strcmp(label, "User::App::homescreen") == 0) - ret = true; - - if (strcmp(shell_interface->name, "agl_shell_desktop") == 0) - if (strcmp(label, "User::App::launcher") == 0 || - strcmp(label, "User::App::alexa-viewer") == 0 || - strcmp(label, "User::App::tbtnavi") == 0 || - strcmp(label, "User::App::hvac") == 0) - ret = true; - - if (ret) - weston_log("Client with pid %d, uid %d, gid %d, allowed " - "to bind to %s for label %s\n", pid, uid, gid, - shell_interface->name, label); - - /* client responsible for free'ing */ - free(label); - return ret; -} -#else +/* we allow all applications to bind to private extensions. See the deny-all + * policy instead for how to retrieve the clients fd and its label to check + * against */ static bool ivi_policy_default_shell_bind_interface(void *client, void *interface) { return true; } -#endif static bool ivi_policy_default_allow_to_add(void *user_data) diff --git a/src/policy-deny.c b/src/policy-deny.c index 5b2336a..823f331 100644 --- a/src/policy-deny.c +++ b/src/policy-deny.c @@ -33,10 +33,26 @@ #include <string.h> #include "shared/helpers.h" +#ifdef HAVE_SMACK +static const char *const bind_agl_shell[] = { + "User::App::homescreen", + "User::App::cluster-gauges" /* cluster-dashboard */ +}; + +static const char *const bind_agl_shell_desktop[] = { + "User::App::launcher", + "User::App::alexa-viewer", + "User::App::tbtnavi", + "User::App::hvac", + "User::App::xdg-cluster-receiver", /* cluster-receiver, native XDG app*/ + "User::App::cluster-receiver" /* cluster-receiver, Qt app */ +}; +#endif -static const char *const applications_permitted[] = { "homescreen", "alexa-viewer", - "launcher", "hvac", - "navigation", "mediaplayer" }; +static const char *const applications_permitted[] = { + "homescreen", "alexa-viewer", "launcher", "hvac", + "navigation", "mediaplayer" +}; /* helper start searches the applications_permitted for the * app_id @@ -51,6 +67,31 @@ ivi_policy_verify_permitted_app(const char *app_id) return false; } +#ifdef HAVE_SMACK +/* helper to determine which applications are allowed to bind to the + * private extensions + */ +static bool +ivi_policy_check_bind_agl_shell(const char *app_id) +{ + for (size_t i = 0; i < ARRAY_LENGTH(bind_agl_shell); i++) + if (strcmp(app_id, bind_agl_shell[i]) == 0) + return true; + + return false; +} + +static bool +ivi_policy_check_bind_agl_shell_desktop(const char *app_id) +{ + for (size_t i = 0; i < ARRAY_LENGTH(bind_agl_shell_desktop); i++) + if (strcmp(app_id, bind_agl_shell_desktop[i]) == 0) + return true; + + return false; +} +#endif + static bool ivi_policy_verify_ivi_surface(struct ivi_surface *surf) { @@ -124,15 +165,10 @@ ivi_policy_default_shell_bind_interface(void *client, void *interface) } if (strcmp(shell_interface->name, "agl_shell") == 0) - if (strcmp(label, "User::App::homescreen") == 0) - ret = true; + ret = ivi_policy_check_bind_agl_shell(label); if (strcmp(shell_interface->name, "agl_shell_desktop") == 0) - if (strcmp(label, "User::App::launcher") == 0 || - strcmp(label, "User::App::alexa-viewer") == 0 || - strcmp(label, "User::App::tbtnavi") == 0 || - strcmp(label, "User::App::hvac") == 0) - ret = true; + ret = ivi_policy_check_bind_agl_shell_desktop(label); if (ret) weston_log("Client with pid %d, uid %d, gid %d, allowed " |